Avoid that ft_free_cmd() can finish while ft_recv_seq() is still
in progress, which would cause a use-after-free (seq_set_resp()
waits until any ongoing ft_recv_seq() call has finished).
Signed-off-by: Bart Van Assche <bart.vanassche@xxxxxxxxxxx>
Cc: Vasu Dev <vasu.dev@xxxxxxxxx>
---
drivers/target/tcm_fc/tfc_cmd.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/drivers/target/tcm_fc/tfc_cmd.c b/drivers/target/tcm_fc/tfc_cmd.c
index 840dac3..93a2d7f 100644
--- a/drivers/target/tcm_fc/tfc_cmd.c
+++ b/drivers/target/tcm_fc/tfc_cmd.c
@@ -88,6 +88,7 @@ void ft_dump_cmd(struct ft_cmd *cmd, const char *caller)
static void ft_free_cmd(struct ft_cmd *cmd)
{
struct fc_frame *fp;
+ struct fc_seq *sp;
struct fc_lport *lport;
struct ft_sess *sess;
@@ -96,8 +97,11 @@ static void ft_free_cmd(struct ft_cmd *cmd)
sess = cmd->sess;
fp = cmd->req_frame;
lport = fr_dev(fp);
- if (fr_seq(fp))
- lport->tt.seq_release(fr_seq(fp));
+ sp = fr_seq(fp);
+ if (sp) {
+ lport->tt.seq_set_resp(sp, NULL, NULL);
+ lport->tt.seq_release(sp);
+ }
fc_frame_free(fp);
percpu_ida_free(&sess->se_sess->sess_tag_pool, cmd->se_cmd.map_tag);
ft_sess_put(sess); /* undo get from lookup at recv */
--
2.1.4
--
To unsubscribe from this list: send the line "unsubscribe target-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
